Follow Us On Social Media

Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts.

Dubbed CookieMiner due to its capability of stealing cookies-related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on DarthMiner, another Mac malware that was detected in December last year.

When talking about the targeted cryptocurrency exchanges and wallet services, CookieMiner was found targeting Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having "blockchain" in its domain and using cookies to track their users temporarily.

By leveraging the combination of stolen login credentials, web cookies, and SMS data, it would be possible for an attacker to even bypass two-factor authentication for exchange sites and steal cryptocurrencies from the victim's accounts and wallets.

"If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login," the researchers explained in their blog post published Thursday.

"However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods."

It should be noted that researchers have not yet found any evidence of the attackers successfully withdrawing funds from any user's wallet or account, but are speculating based on the malware's behavior.

EmPyre is a Python post-exploitation agent that checks if the Little Snitch application firewall is running on the victim's machine and if it finds one, it will stop and exit. The agent can also be configured to download additional files.

Although it is unclear how the CookieMiner malware is pushed to the victims at the first place, it is believed that the users are tricked into downloading tainted software onto their machines which delivers the malware.

Palo Alto Networks has already contacted targeted cryptocurrency exchanges and wallet services, along with Apple and Google, and reported the issue.

Since the researchers believe that the CookieMiner campaign is still active, the best way to prevent falling victim to such malware attacks is to avoid saving your credentials or credit card information within your web browsers and, not to mention, avoid downloading apps from third-party platforms.

You should also consider clearing your cookies when visiting the banking or financial accounts, and "keep an eye on their security settings and digital assets to prevent compromise and leakage," researchers advised.